-
The Crossfire Attack
Min Suk KangECE Department and CyLabCarnegie Mellon
University
Email: [email protected]
Soo Bum LeeCyLab
Carnegie Mellon UniversityEmail: [email protected]
Virgil D. GligorECE Department and CyLabCarnegie Mellon
University
Email: [email protected]
Abstract—We present the Crossfire attack – a powerfulattack that
degrades and often cuts off network connections to avariety of
selected server targets (e.g., servers of an enterprise,a city, a
state, or a small country) by flooding only a fewnetwork links. In
Crossfire, a small set of bots directs low-intensity flows to a
large number of publicly accessible servers.The concentration of
these flows on the small set of carefullychosen links floods these
links and effectively disconnectsselected target servers from the
Internet. The sources of theCrossfire attack are undetectable by
any targeted servers, sincethey no longer receive any messages, and
by network routers,since they receive only low-intensity,
individual flows that areindistinguishable from legitimate flows.
The attack persistencecan be extended virtually indefinitely by
changing the set ofbots, publicly accessible servers, and target
links while main-taining the same disconnection targets. We
demonstrate theattack feasibility using Internet experiments, show
its effectson a variety of chosen targets (e.g., servers of
universities, USstates, East and West Coasts of the US), and
explore severalcountermeasures.
I. INTRODUCTION
Botnet-driven distributed denial-of-service (DDoS) at-tacks
which flood selected Internet servers have been knownfor some time
[1, 2, 3, 4]. In contrast, link-flooding attacksthat effectively
disconnect chosen Internet servers have beenuncommon, possibly
because of the complexity of selectiveserver targeting. Instead,
most of these attacks cause routeinstabilities [5] and Internet
connectivity disruption [6, 7]rather than selective end-server
disconnection (reviewed inSection VII). Nevertheless, when the aim
of an attack isto cut off critical infrastructure (e.g., energy
distribution,time-critical finance, command and control services)
fromthe Internet, link flooding can be extremely effective;
e.g.,current peak rates of a single botnet-driven attack can
easilyexceed 100 Gbps [8], making it possible to flood the
vastmajority of Internet links.
Link flooding by botnets cannot be easily countered byany of the
current Internet defense methods for three reasons.First, bots can
use valid IP addresses, and thus defensesbased on detecting or
preventing use of spoofed IP addressesbecome irrelevant; e.g.,
defenses based on ingress filter-ing [9], capability systems [10,
11], or accountable protocoldesigns [12, 13]. Second, and more
insidiously, botnets canflood links without using unwanted traffic;
e.g., they cansend packets to each other in a way that targets
groups of
routers [7]. Third, a botnet can launch an attack with
low-intensity traffic flows that cross a targeted link at roughly
thesame time and flood it; e.g., a botnet controller could com-pute
a large set of IP addresses whose advertised routes crossthe same
link (i.e., decoy IPs), and then direct its bots tosend
low-intensity traffic towards those addresses. This typeof attack,
which we call the Crossfire attack1 and describe inthis paper, is
undetectable by any server located at a decoyIP address, and its
effects are invisible to an ISP until (too)late2. Furthermore,
current traffic engineering techniquesare unable to counter these
attacks. The latency of offlinetraffic engineering is impractically
high (e.g., hours anddays [15, 16]) whereas online traffic
engineering techniquescannot offer strong stability guarantees
[17], particularlywhen multiple ISPs need to coordinate their
responses tocounter an attack, and hence cannot be deployed in
theInternet backbone. Worse yet, even if online techniquescould be
deployed, an adversary attack could change theset of target links
in real time thereby circumventing onlinetraffic engineering
defenses; viz., discussion in Section IV.
In this paper, we present the Crossfire attack. This attackcan
effectively cut off the Internet connections of a
targetedenterprise (e.g., a university campus, a military base, a
setof energy distribution stations); it can also disable up to53%
of the total number of Internet connections of someUS states, and
up to about 33% of all the connections ofthe West Coast of the US.
The attack has the hallmarks ofInternet terrorism3: it is low cost
using legitimate-lookingmeans (e.g., low-intensity, protocol
conforming traffic); itslocus cannot be anticipated and it cannot
be detected untilsubstantial, persistent damage is done; and most
importantly,it is indirect: the immediate target of the attack
(i.e., selectedInternet links) is not necessarily the intended
victim (i.e., anend-point enterprise, state, region, or small
country). Thelow cost of the attack (viz., Section IV), would also
enable
1This attack should not be confused with that of Chou et al.
[14], whichalso uses the term “crossfire” for a different purpose;
i.e., to illustrateunintentionally dropped legitimate flows.
2Of course, an adversary could easily change the set of bots
used in theattack; e.g., typical networks of 1M bots would allow
one hundred disjoint,and a very large number of different sets of
10K bots.
3Although common agreement on a general definition of terrorism
doesnot exist, the means of attack suggested here are common to
most terroristattacks in real life.
2013 IEEE Symposium on Security and Privacy
1081-6011/13 $26.00 © 2013 IEEEDOI 10.1109/SP.2013.19
127
-
a perpetrator to blackmail the victim.The main contributions of
this paper can be summarized
as follows:1) We introduce the Crossfire attack in the Internet
and
show how it can isolate a target area by flooding care-fully
chosen links. In particular, we show that it requiresrelatively
small botnets (e.g., ten thousand bots) and islargely independent
of the bot distribution. It has no effectivecountermeasure at
either target routers or end-point servers,and as a result, it can
degrade and even cut off connectionsto selected Internet areas
ranging from a single organizationto several US states, for a long
time.
2) We show the feasibility of the Crossfire attack withdata
obtained from large-scale experiments. In particular,our analysis
of Internet traffic to targets shows that veryfew carefully chosen
links are responsible for delivering thevast majority of all
traffic to a specific area, a fact whichmakes this attack fairly
easy to launch. Traffic concentrationin a small set of links
located a few (e.g., three to four)hops away from a targeted area
is intuitively attributable tothe shortest path routing by the
Internet IGP/BGP protocols,and easily discoverable by common tools
such as traceroute.We show that the attack traffic on these links
follows apower-law distribution that depends on the targeted
serversand cannot be anticipated by generic
Internet-connectivitymetrics; e.g., metrics based on router
connectivity [18, 19]or betweenness centrality [20].
3) We show that the Crossfire attack is persistent in thesense
that it cannot be stopped either by individual ISPs orby end-point
servers, which are effectively disconnected byflooded links at
least three hops away, for a long time. Attackpersistence is caused
by three independent factors. First, theselected attack routes
become stable after the removal ofall load balancing dynamics
(which is consistent with priorobservations [21]). Second, the
attack traffic is shaped suchthat (i) only a data plane of a link
is flooded while thecontrol plane remains unaffected, and hence
dynamic re-routing can be initiated only after data-plane flood
detection,which gives an adversary ample time to select alternate
setsof links for the same target area; and (ii) early congestionof
links located upstream from a targeted link is avoided bya priori
estimation of the bandwidth available on the routeto that link.
Third, the availability of multiple, disjoint setsof target links
distributed across multiple ISPs implies thatno single ISP can
unilaterally detect and handle this attack.
4) We argue that collaborative on-line, rather than
offline,traffic engineering techniques would become necessary
toreduce the persistence of such attacks. In the absence ofsuch
measures, the Crossfire attack must be handled byapplication
protocol layers; e.g., overlays that detect effec-tive host
disconnection from the Internet and re-route trafficvia different
host routes [22, 23]. Botnet market disruptionand international
prosecution of attack perpetrators maycomplement technical
countermeasures against these attacks.
�
Figure 1: The Elements of the Crossfire Attack
II. THE CROSSFIRE ATTACK
In this section, we present the steps of the Crossfire
attack.The adversary’s goal is to prevent legitimate traffic
fromflowing into a specific geographic region of the Internet,and
the capability she needs to accomplish that goal is toflood a few
network links in and around that region. Webegin by defining the
two most common terms used in thispaper: the target area and target
link. Then, we describe howan adversary designs an attack using the
bots she controls.Fig. 1 illustrates the concept of the Crossfire
attack.
Target Area: A target area is a geographic region of theInternet
against which an adversary launches an attack;4 viz.,the area
enclosed by the circle in Fig. 1. A typical targetarea includes the
servers of an organization, a city, a state,a region, and even a
country, of the adversary’s choice.
Target Link: A target link is an element of a set of
networklinks the adversary needs to flood so that the target area
iscut off from the rest of the Internet. These carefully
chosennetwork links are the actual target of the flooding
attackwhereas the target area is the real, intended target.
To launch a Crossfire attack against a target area, anadversary
selects a set of public servers within the targetarea and a set of
decoy servers surrounding the target area.These servers can be
easily found since they are chosenfrom publicly accessible servers
(viz., Section V-B). The setof public servers is used to construct
an attack topologycentered at the target area, and the set of decoy
servers isused to create attack flows. Then, the adversary
constructsa “link map”, namely the map of layer-3 links from her
bot
4The attack may have side effects and affect other non-targeted
areas.However, these side effects do not increase attack’s
detectability. They canbe a desired feature whenever the
adversary’s goal is to cut off most of thetraffic at and around a
target area, rather than to surgically isolate a smallnumber of
specific servers.
128
-
addresses to those of the public servers. (The
differencesbetween a link map and a typical router-topology map
arediscussed below.) Once the link map is created, the
adversaryuses it to select the best target links whose flooding
willeffectively cut off the target area from the Internet. Next,the
adversary coordinates the bot-decoy (server) flows toflood the
target links, which would eventually block mostof the flows
destined to the target area. This can be easilydone since target
links are shared by flows to the decoyservers and target area.
Finally, the adversary selects multipledisjoint sets of target
links for the same target area and floodsthem one set at a time, in
succession, to avoid triggering bot-server route changes. The three
main steps needed to launchthe Crossfire attack consist of the link
map construction,attack setup, and bot coordination, as shown in
Fig. 2. Notethat, to extend the duration of the attack, the last
step,namely the bot coordination step, is executed repeatedly
bydynamically changing the sets of target links, which we
willexplain in detail in Section II-D. We describe each of
theadversary’s steps below.
A. Link Map Construction
To flood links leading to a target area, an adversary needsto
construct a link map of the Internet surrounding that area.
1) Traceroute from Bots to Servers:To construct the link map,
the adversary instructs her bots
to run traceroute and find all the router-level routes to
thepublic servers in the target area and the decoy servers.
Theresult of a traceroute is a sequence of IP addresses that
areassigned to the interfaces of the routers on the route, wherea
link is identified by the IP address of the adjacent
router’sinterface. Thus, the sequence of IP addresses represents
thesequence of layer-3 links5 that the attack traffic would
travel.
A link map for the Crossfire attack is different from a typ-ical
router-topology map [18] that attempts to build a router-level
connectivity to analyze topological characteristics (e.g.,node
degree). This attack only needs the list of layer-3 linksand their
relationships to compute a set of target links onthe bot-to-target
area routes, while each link’s membershipto a specific router is
irrelevant. Note that the link mapconstruction does not require IP
alias resolution [24]; i.e.,determining the set of IP interfaces
owned by the same routeris unnecessary. As a consequence, an
adversary can use theordinary traceroute for the link map
construction regardlessof how inaccurate its IP alias resolution
may be [25].
A bot runs multiple traceroutes to the same server in orderto
determine the stability and multiplicity (or diversity) of aroute,
both of which are used for selecting effective targetlinks
(discussed in Section V-D in detail). The traceroute
5Although a single layer-3 link consists of several lower layer
connec-tions that are invisible to the adversary, the flooding on
the layer-3 linkis still effective whenever the adversary’s maximum
bandwidth assumption(e.g., 40 Gbps in our experiments) is correct
along the layer-3 link.
�
traceroute����������
����
��������
������������������������ ���������������������� ������������
�
����
traceroute ��� �����
��!����
����
��������
����������
����
����
��������������� " �#����������$������������ ��!��������
�����
�
����
�����$��
" �#�������
��!������� ��� �����
��!������������
����������
����
��$$����
������ " �#�
��������������������������" �#�����!�$������ ��!�������"
�����!
�
����
����
��� �����
��!������������
Figure 2: The steps of the Crossfire attack.
results are collected by the adversary and used to constructthe
link map.
2) Link-Persistence:The link map obtained in the previous step
cannot be
directly used to find target links since some of the
routesobtained may be unstable. Unstable routes would complicatethe
attack since the adversary may end up chasing a movingtarget. Route
instability is primarily caused by ISPs’ loadbalancing processes
(i.e., forwarding traffic through multipleroutes), which are
supported by most commercial routers[26]. A consequence of load
balancing is that, for thesame bot-to-server pair, some links do
not always appearon the trace of the route produced by multiple
invocations
129
-
of traceroute (viz., the arrowed links of step A-② in Fig.2).
These links are said to be transient, whereas those thatalways
appear on a route are said to be persistent. Theadversary
identifies transient links and removes them fromthe set of
potential target links. Our Internet experimentshows that 72% of
layer-3 links measured by traceroute arepersistent6.
B. Attack Setup
The adversary uses the obtained link map to discover theset of
target links whose flooding cuts off the largest numberof routes to
the target area. Clearly, the larger the proportionof cut routes
out of all possible routes to the target area,the stronger the
attack. The attack-setup step consists of thefollowing two
sub-steps.
1) Flow-Density Computation:The adversary analyzes the link map
for a target area
and computes ‘target-specific attack-flow density’, or
simplyflow density henceforth, for each network link in the
linkmap. The flow density of a persistent link is defined asthe
number of flows between bots and target-area serversthat can be
created through that link. Hence, flow densityis a
target-area-specific metric and can vary widely fromone target area
to another (viz., Section III-A). It is a verydifferent metric from
those used for Internet connectivity,such as the “betweenness
centrality” [20] and the degreeof routers [18, 19] (viz., Section
III-A), and should not beconfused with them.
A high flow density for a link indicates that the linkdelivers
both a large number of attack and legitimate (or non-attack) to a
specific target area, and thus the link becomes agood attack
target. We found that the flow density followsa power-law
distribution in a link map (viz., Section III-A),and this enables
an adversary to easily discover a set of highflow density links
that delivers most traffic to a target area.7
Furthermore, the computed flow density remains largelyunchanged
for at least several hours due to the well-known,long-term
stability of Internet routes [27, 21]. Hence, flowdensity can be
used as a stable and reliable metric by theadversary in selecting
target links.
2) Target-Link Selection:In this step, the adversary finds
multiple disjoint sets of
target links to be flooded. The adversary selects at least
twodisjoint sets of target links and uses them one at a time,
insuccession, to achieve attack persistence (viz., Section
II-D).The goal of this step is to maximize the amount of
disrupted
6The link map obtained may not include backup links since these
linkstypically do not show up in traceroutes. The existence of such
links islargely immaterial to the effectiveness of Crossfire. If
attack traffic spillsover onto backup links and its intensity
dampens appreciably, the adversarycould easily switch to a new set
of target links for the same server area, asshown in Section
II-D.
7The power-law of flow density should not be confused with
connectivityproperties derived from traceroute, such as those for
the degree of routerlevel topology [19].
traffic flowing into the target area by optimal selection
oftarget links using the link map and flow density.
To quantify how much of the traffic to a target area can becut
off by a chosen target-link set, the adversary computesthe
degradation ratio for that target area. The degradationratio is the
fraction of the number of bot-target area routescut by the attack
over the number of all possible bot-targetarea routes. We say that
a route is cut by an attack if theroute contains a target link that
is flooded by the attack.
To select the target links that maximize the degradationratio to
a target area, the adversary must solve the general-ized maximum
coverage problem, which is a well-knownNP-hard problem. Instead of
finding an exact solution,the adversary uses an efficient
heuristic, namely a greedyalgorithm [28], presented in Section
IV-D. The executiontime of our heuristic is very small, namely less
than a minutein all experiments (viz., Section IV-D). This enables
theadversary to adapt to dynamic route changes, if necessary.The
output of this algorithm shows that flooding a few targetlinks can
block a majority of the connections to a targetarea. For example,
flooding ten target links causes a 89%degradation ratio for a small
target area; flooding fifteentarget links can block 33% of
connections flowing to theWest Coast of the US (viz., Section
V-D).
C. Bot Coordination
Once target links are selected at step B-② (Fig. 2),
theadversary coordinates individual bots to flood the targetlinks.
To create flooding flows for a given set of target links,the
adversary assigns to each bot (1) the list of decoy serversand (2)
the send-rates for packets destined to individualdecoy servers. The
send-rates are assigned in such a way thatindividual attack flows
have low intensity (or low bandwidth)while their aggregate
bandwidth is high enough to flood alltarget links. This step
consists of two sub-steps.
1) Attack-Flow Assignment:The goal of the attack-flow assignment
is to make
the aggregate traffic rate at each target link slightly
higherthan the link bandwidth so that all the legitimate flowsare
severely degraded in those links. Two assignment con-straints must
be satisfied. The first is that the adversarymust keep each
per-flow rate low enough so that none ofthe network protection
mechanisms in routers or intrusiondetection systems (IDS) at or
near a server can identify theflow as malicious. The second is that
the aggregate attacktraffic necessary to flood all the targeted
links is relativelyevenly assigned to multiple bots and decoy
servers. Thefirst constraint ensures indistinguishability of attack
flowswhereas the second addresses undetectability both at serversin
the target area and at decoy servers; viz., Section VIfor details.
The adversary first sets the maximum targetbandwidth for each
target link and exhausts it with attackflows. Then, she assigns
individual flows for each target link.
130
-
The rate of an attack flow at a target link is lower-boundedby
the flow density. The average per-flow rate for the targetlink
should be higher than the target bandwidth dividedby the maximum
number of available attack flows on thelink, which is proportional
to its flow density. Moreover,the assignment of the per-flow rate
must take into accountthe maximum flow rate a decoy server can
handle withouttriggering traffic alarms. For example, if a decoy
server isa public web server, one web click per second on average(a
HTTP GET packet per second � 4 Kbps) would not beclassified as
abnormal traffic at the server. Therefore, theadversary can easily
assign a large enough number of attackflows with low per-flow
rates. The adversary also has toassign per-bot and per-decoy server
rates that are evenlydistributed. For enhanced undetectability of
attack traffic atthe bots and the decoy servers, the adversary must
accountfor all previously assigned traffic rates at the bots and
decoyservers whenever assigning new attack flows. The
adversaryconservatively sets the target bandwidth to 40 Gbps,
whichis the most widely used link bandwidth currently
deployed(OC-768) for high bandwidth backbones.
Despite an adversary’s careful attack flow assignment,non-target
links located upstream of the target links couldstill become
congested, which we call early congestion, ifthey have limited
bandwidth and/or the bot density in acertain area is too high. The
adversary can avoid potentialearly congestion using a priori link
bandwidth estimation,which we discuss in detail in Section
IV-C.
2) Target-Link Flooding:The adversary directs her bots to start
generating the
attack flows. Each bot is responsible for multiple attackflows,
each of which is assigned a distinct decoy server withthe
corresponding required send-rate. Bots slowly increasethe
send-rates of their attack flows up to their assigned send-rates,
which makes the attack flows indistinguishable fromthe traffic
patterns of typical ”flash crowds” [29]. Bots canadjust the
intensity of their flow traffic dynamically, basedon the state of
each target link; i.e., if the actual bandwidthof a target link is
less than the assigned attack bandwidth(set in Section II-C1), the
bots stop increasing the rates ofattack flows as soon as the target
link is flooded.
D. Rolling attacks
The adversary can dynamically change the set of targetlinks
(among the multiple sets found previously) and extendthe duration
of the Crossfire attack virtually indefinitely.Continuous link
flooding of the same set of target linkswould lead to bot-server
route changes since it wouldinevitably activate the router’s
failure detection mechanism.Hence, changing the set of target links
assures attack per-sistence and enables the attack to remain a pure
data-planeattack. The adversary can also dynamically change the set
ofbots to further enhance the undetectability of the
Crossfireattack. These dynamic attack execution techniques are
called
rolling attacks in Section IV-B where they are described inmore
detail.
III. TECHNICAL UNDERPINNINGS
In this section, we discuss the two characteristics of
thecurrent Internet which enable the Crossfire attack, namely(1)
the power law of flow-density distribution, which istarget-area
specific, and (2) the independence of the geo-graphical
distribution of bots from target links and attacktargets, which
gives an adversary has a wide choice of botsin different locations
on the globe.
A. Characteristics of Flow-Density Distribution
Before analyzing the distribution of flow density, wemust
distinguish between the attack-specific flow density
andconnectivity-specific metrics, such as the betweenness
cen-trality [20] and the degree of routers [18], which
characterizean Internet topology. Recall that the flow density of a
linkrepresents the number of source-to-destination (i.e.,
bot-to-server in the target area in the Crossfire attack) pairs
whosetraffic crosses the link persistently. In contrast,
betweennesscentrality, which is the number of shortest routes
amongall vertices that pass through an edge in a graph, does
notreflect actual traffic flows and their dynamics. Similarly,
theconnectivity degree of a router, which represents the
router’slayer-3 direct connections to neighbor routers, namely
thetopological connectivity of the router, does not capture
anydynamics of traffic flows. Thus, neither of these metricscould
be used to evaluate the feasibility of the Crossfireattack.
Our analysis on the flow-density distribution is two-fold;first,
we show that it is easy to find target links that haveextremely
high flow density for a selected target area; andsecond, we show
that flow density of a link is not a constantbut varies depending
on a selected target area (i.e., flowdensity is a target-area
specific metric).
1) Universal power-law property of flow-density distribu-tion: A
power-law distribution exhibits a heavy-tail charac-teristic, which
indicates that extreme events are far morelikely to occur than they
would in a Gaussian distribution.More formally, a quantity x obeys
a power-law if it followsa probability distribution
p(x) ∝ x−α for x > x0, (1)
where α is a constant parameter of the distribution known asthe
scaling parameter [30]. The power-law property appearsin the tail
of the distribution (i.e., x > x0)8. If a power-law
8Some past research relied on simple data-fitting methods to
concludethat their datasets follow a power-law distribution [18,
31]; i.e., if ahistogram of empirical datasets is well fitted to a
straight line on log-logscale, a power-law behavior would be
ascribed to the datasets. However,recent studies [32, 25] show that
these data-fitting methods are insufficientto conclude the
power-law compliance of empirical data. According toClauset et al.
[30], the majority of purported power-law datasets fail topass the
rigorous statistical hypothesis test on their power-law
distribution.
131
-
10−1
100
101
102
103
104
10−4
10−3
10−2
10−1
100
Pr(X
≥ x
)
x10
−110
010
110
210
310
410
−4
10−3
10−2
10−1
100
Pr(X
≥ x
)x
x0 = 1138
α = 3.15 p−value = 0.68
(a) East Coast
x0 = 690
α = 3.45 p−value = 0.96
(b) New York
Figure 3: Flow-density distributions for various target
areas:(a) East Coast and (b) New York. The complementarycumulative
distribution functions (CCDFs) (i.e., Pr(X ≥ x))of flow density (x)
for both areas are plotted on log-log scale.
distribution holds for flow density, that would imply that
anadversary could easily find links whose flow density is
manyorders of magnitude higher than average. These links
wouldbecome good targets for attack for a particular target
area.
We use the rigorous statistical test proposed by Clausetet al.
[30]9 to show that a power-law holds for flow-densitydistributions.
We first estimate the parameters (i.e., x0 andα) of power-law
distribution on our flow-density datasets andtest the power-law
hypothesis with the estimated parameters.Fig. 3 shows the
flow-density distributions of two differenttarget areas: (a) East
Coast and (b) New York. The com-plementary cumulative distribution
function (CCDF) (i.e.,Pr(X ≥ x), where x is flow density) of the
flow-densitydatasets is plotted on a log-log scale. As the graphs
show,both distributions are well fitted to the diagonal lines at
thetail. More precisely, we apply the power-law hypothesis
testproposed by Clauset et al. [30] to the measured
flow-densitydataset and obtain the p-value, which indicates the
degreeof plausibility of a hypothesis, for each test. The
p-valuesfor the two target areas (i.e., 0.68 and 0.96) are much
higherthan the significance level, which is often set to 0.05.
Hence,the plausibility of the null hypothesis (i.e., the
flow-densitydistribution follows a power law) is accepted [33].
2) Target-area dependency of flow density:
Unlikeconnectivity-related metrics, which are dependent only
onphysical network connectivity but independent of attacktargets,
flow density is an attack-specific metric; i.e., a targetlink that
has high flow density for a target area may have avery different
density for other areas.
Table I illustrates the top 20 links ordered by flows den-sities
for three target areas of different sizes: the East
Coast,Massachusetts, and Univ2. Naturally, one would expect thatthe
links’ flow densities would follow the obvious link-map inclusion
relations, namely the link map of Univ2 ⊂link map of Massachusetts
⊂ link map of the East Coast.However, Table I shows that the top 20
links for these relatedtarget areas are very different: not only
these links do notfollow the link-map inclusion, but also whenever
some are
9The statistical tools, proposed by Clauset et al. [30], are
available athttp://tuvalu.santafe.edu/∼aaronc/powerlaws/.
Target area Indices of top 20 flow-density links
East Coast01, 02, 03, 04, 05, 06, 07, 08, 09, 10,11, 12, 13, 14,
15, 16, 17, 18, 19, 20
Massachusetts19, 21, 13, 22, 23, 24, 25, 26, 27, 28,29, 30, 31,
32, 33, 34, 35, 36, 37, 38
Univ239, 40, 30, 41, 42, 23, 43, 44, 45, 46,47, 48, 49, 50, 51,
52, 53, 54, 55, 56
Table I: Top 20 flow-density links for three different
targetareas: the East Coast of the US, Massachusetts, and
Univ2.Each link IP address is mapped to a link index. Bold
indicesdenote the links shared by different areas.
shared between areas they have different density ranks.
Forexample, link 19 has the highest flow-density rank whenthe state
of Massachusetts is targeted, and yet it only ranksnext to the last
for the East Coast. Furthermore, link 19does not even appear in the
top 20 link densities of Univ2.This clearly shows that flow density
is a target-area specificmetric, which reveals a link’s usefulness
in an attack thattargets a specific area.
B. Geographical Distribution of Bots
Although the selected target links are highly dependenton the
target area of the attack, they are nearly independentof the choice
of bot distributions; i.e., even if an adversaryuses different sets
of bots that have different geographicdistributions to flood a
target area, the effectiveness ofthe Crossfire attack would remain
nearly unchanged. Toshow this, we performed the following
experiment. First,we partitioned the set of bots into several
subsets based onbots’ geolocation (viz., subsets denoted by Sj , j
= 1, ..., 8in Table II). Then, we selected different subsets to
formsix different bot distributions (viz., distributions denoted
byDistri, i = 1, ..., 6 in Table II), and simulated a
separateCrossfire attack for each distribution against three
differenttarget areas; i.e., East Coast, Pennsylvania, and
Univ1.Finally, we analyzed how the different distributions
affectthe degradation ratios.
The geographical distributions of 620 PlanetLab nodesand 452 LG
servers are as follows: 42% were located inEurope, 39% in North
America, 13% in Asia, and 6% inthe rest of the world (viz., Figure
5). Since the distributionsof PlanetLab nodes and LG servers in
North America andEurope cover wider areas than those in the rest of
the world,we (1) assigned three disjoint subsets to each; i.e., S1,
S2,and S3 to North America and S4, S5, and S6 to Europe;and (2)
constructed the bot distributions such that Distr1,Distr2, and
Distr3 cover a similar number of bots inNorth America and Asia, and
Distr4, Distr5, and Distr6a similar number of bots in Europe and
Asia.
Fig. 4 shows the degradation ratios for the six different
botdistributions shown in Table II and three different-size
targetareas chosen; i.e., East Coast, Pennsylvania, and Univ1.
Foreach target area, we defined a baseline degradation
ratio(denoted by “Baseline” in Fig. 4) as the degradation ratio
132
-
North America Europe Asia OthersS1 S2 S3 S4 S5 S6 S7 S8
Baseline � � � � � � � �Distr1 � � � � � �
Distr2 � � � � � �
Distr3 � � � � � �
Distr4 � � � � � �
Disrt5 � � � � � �
Distr6 � � � � � �
Table II: Different geographic distributions of bots
(Distri)created using different subsets of PlanetLab nodes and
LGservers (Sj).
0 10 20 30 40 500
0.2
0.4
0.6
0.8
1
Number of target links
Deg
rada
tion
Rat
io
Distr1 Distr2 Distr3 Distr4 Distr5 Distr6
Univ1
Pennsylvania
East Coast
Baseline
Figure 4: Degradation ratios for different geographic
distri-butions of PlanetLab nodes and LG servers.
given by an attack launched by all bots available. The
sixdegradation ratios are computed using the same total numberof
routes as that used in the baseline ratio. Thus, if thedegradation
ratio of a certain distribution is close to thebaseline, that
distribution of bots is as damaging to the targetarea as the
baseline (i.e., as all available bots). As shown inFig. 4, the
choice of the six different distributions does notdiminish the
effectiveness of the attack in a measurable way.That is, the
effectiveness of an attack is nearly independentof the geographical
distribution of bots. This is particularlynoticeable in the case of
the small and medium target areawhere the degradation ratios are
almost indistinguishablefrom the baseline.
IV. ATTACK PERSISTENCE AND COST
A. Data-Plane-Only Attack: Indefinite Duration
In this subsection, we discuss how the Crossfire at-tack
maintains its effectiveness, namely a high connectiondegradation
ratio for selected target areas caused by linkflooding (data plane
only), by avoiding any route change(by the control plane) in the
Internet. Clearly, the goal ofthe adversary is to avoid control
plane reaction since thatwould cause routes to change dynamically
in response toany unexpected network-state variations (e.g., due to
linkfailures or high traffic load akin to link flooding).
The Crossfire attack takes advantage of the fact that thecurrent
Internet’s dynamic response to link flooding is tooslow for an
adaptive adversary. That is, if the adversaryperiodically changes
the set of predetermined target linksin less than 3 minutes, she
can maintain a very highconnection degradation ratio without
inducing any Internet
route changes. Thus, the attack duration can be
extendedvirtually indefinitely. The technique of changing the set
oftarget links, namely the rolling attack, is discussed in detailin
Section IV-B. The following two subsections illustratehow slowly
the current Internet would react to the Crossfireattack.
1) Link failure detection: Link-failure detection refersto a
function of a routing protocol that enables a routerto assess the
physical connectivity of its network link toits neighbor router
[34]. A router which misses severalconsecutive control packets
(e.g., hello packets for OSPFor keepalive messages for BGP) in a
specific time interval(default 40 seconds for OSPF or default 180
seconds forBGP) will conclude that the link failed and broadcast
thelink failure to other routers. The consequence of the
linkfailure is two-fold. First, if an intra-AS link fails, the
failurenotification is sent to all the routers within the same
AS,which leads to internal topology changes. In contrast, if alink
between two neighbor ASs (i.e., an inter-AS link) fails,the
failure, in the worst case, could propagate to all the BGPspeaking
routers in the Internet and cause a global topologychange. These
topology changes would redirect the attacktraffic to alternate
routes and invalidate the flow densitiescomputed for the on-going
Crossfire attack.
To measure Internet reaction to link failures, Shaikh et al.[34]
inject traffic that consumes 100% of the capacity of alink and
measure the time for the router to detect the linkfailure. This
experiment shows that it takes 217 seconds fora IGP router (that
runs OSPF or IS-IS) and 1,076 seconds fora BGP router to diagnose
congestion as a failure10. Note thatfailure detection takes much
longer than its default waitingtime interval for the control
packets, namely 40 secondsfor OSPF and 180 seconds for BGP. This is
because somecontrol packets that are queued at the congested
interfaceat a router can successfully reach a neighbor router
evenin severe link congestion. Clearly, the congestion
diagnostictimes are too long to enable rapid reaction to the
Crossfireattack where the adversary can change the set of target
linksfor an area in much less than 3 minutes; viz., the
rollingattacks of the next subsection.
2) Traffic engineering: Most commonly, ISPs use offlinetraffic
engineering techniques, whereby network parametersare periodically
re-optimized based on the estimated trafficmatrix among the
ingress/egress points of their networks[16]. The network parameters
can be the link weights of IGPprotocols (e.g., OSPF or IS-IS) in
pure IP networks [37] orbandwidths of LSP (label switched path)
tunnels in MPLSnetworks [38, 39]. Offline traffic engineering
produces new
10We assume that the OSPF and BGP protocols do not use
shorterintervals for fast failure detection [35], but use default
timers (HelloInterval& RouteDeadInterval for OSPF and
KeepaliveTimer & HoldTimer forBGP). Since most optical fiber
connections (e.g., SONET or SDH) providefailure reports in less
than 50 ms, additional system configuration for fasterlink failure
detection at layer-3 is obviously unnecessary [36].
133
-
routes on a time scale ranging from tens of minutes tohours and
days [15], though more commonly in days andweeks [38, 39, 16]. Even
though it is not frequently used byISPs due to its potential
instability problem, online trafficengineering occurs on a smaller
time scale, namely fromminutes to hours [16, 17]. Given that the
adversary canrepeatedly relaunch the Crossfire attack for new
routes,neither current offline nor online traffic engineering can
offereffective countermeasures.
B. Proactive Attack Techniques: the Rolling Attack
A Crossfire attack is said to be rolling if the adversarychanges
the attack parameters (e.g., bots, decoy servers, andtarget links)
dynamically while maintaining the same targetarea. A rolling attack
can be employed by an adversary tofurther increase
indistinguishability of attack traffic fromlegitimate traffic and
undetectability of all target links bytarget area. Based on the
types of attack parameters that canbe dynamically changed, rolling
attacks can be categorizedinto two types: one that changes bots and
decoy serverswhile maintaining the same target links, and the other
thatchanges target links while maintaining the same target
area.
The main advantage of the first type of attack is thatit further
increases the indistinguishability of the Crossfireflows from
legitimate flows while maintaining the sameattack effects. Since
the source and the destination IPaddresses seen at the selected
target links change overtime, the ISPs cannot easily identify the
source and thedestination IP addresses that contribute to the
attack. Apotential disadvantage is that this attack requires more
botsand decoy servers than the minimum necessary to floodthe target
links. However, the current cost of bots suggeststhat this
disadvantage is insignificant (viz., discussion of botcosts
below).
The second type of rolling attack uses multiple sets ofdisjoint
target links for the same target area. To find themultiple disjoint
sets, the adversary executes the target-linkselection algorithm
(viz., Section II-B2) successively; i.e.,the n-th best set of the
target links is selected after removingthe previously selected
links. The use of multiple disjointsets of the target links
enhances attack undetectability byISPs since ISPs could not
anticipate the adversary’s choiceof targets with certainty. More
importantly, this type ofrolling attack enables Crossfire to remain
a pure data planeattack, as discussed in the previous subsection. A
potentialdisadvantage is that this type of rolling attack may
degradethe effectiveness of the Crossfire attack since the
degradationratio caused by attacking a non-best target set can
belower than that of attacking the best set. However,
thedegradation ratios of different sets of target links shownin
Table III indicate that this degradation is minimal. Inorder to
maximize attack effects while being undetected, theadversary can
alternate the target sets; she would use the bestset for the most
of attacks and switch to the non-best sets
Target link setTarget area Best set 2nd best set 3rd best
set
Univ1 89% 77% 63%Pennsylvania 42% 30% 24%East Coast 21% 16%
14%
Table III: Degradation ratios for different disjoint target
linksets. Each set has 10 target links.
only for a short time interval. For example, if the
adversaryrepeatedly schedules 3 minutes for the attack on the
bestset and next 30 seconds for the second-best set, she
canmaintain the attack towards a target area indefinitely
whilelimiting the reduction of the degradation ratio less than
4%.
C. Avoidance of Early Congestion
Crossfire avoids early congestion, namely the eventwhereby a
non-target link, or more, located upstream ofthe target links
becomes congested. We argue that earlycongestion does not affect
attack feasibility, but instead is amatter of attack provisioning,
which is a very distinct andeasily handled issue by an
adversary.
Bots can easily detect early congestion by regularly per-forming
traceroutes to the target area since if it happens, theywould not
receive most of replies (i.e., ICMP time exceededmessages) from the
congested router and the subsequentrouters on the route. When early
congestion is reportedby the bots, the adversary can re-assign some
attack flowsto over-provisioned bots, to avoid the early
congestion. Inother words, the adversary adaptively assigns attack
flows togeographically distributed bots, so that a sufficient
numberof attack packets reach the target links and flood them.
Notethat additional attack routes to target links can always
befound before the attack and used only if necessary.
In addition to the dynamic assignment of attack flows,the
adversary can instruct bots to estimate the availablebandwidth
towards the target links using a priori bandwidthestimation tools
(e.g., Pathneck [40]) and predict earlycongestion before assigning
attack flows. In this way, theadversary can provision the bots so
that early congestionwould not happen.
D. Execution Time of Target Selection Algorithm
The greedy algorithm of selecting a set of T target linksruns as
follows:Let R, L and T be the set of all bot-to-target area
routes,the set of candidate links for the target area, and the set
oftarget links, respectively. Let li be a link on a route.(1) Add
all distinct links (l′is) of R to L.(2) Take out the highest flow
density link, lmaxi , from L and
add it to T .(3) Recompute the flow density for all li’s in
L.(4) Repeat (2) and (3) until T target links are selected,
i.e.,
until |T | = T .The above algorithm finds the T best target
links that
disconnect the target area in terms of the degradation
ratio,
134
-
Target area T = 10 T = 20 T = 30 T = 40 T = 50
Univ1 0.94 1.87 2.79 3.72 4.65Pennsylvania 3.10 5.46 7.38 8.99
10.38East Coast 13.44 24.93 35.13 43.96 52.05
Table IV: Execution time (in seconds) to select T target
linksfor different target sizes.
in T iterations of steps (2) - (3). Step (3) re-evaluates
flowdensities after removing all routes of R that include lmaxiand
as a consequence, the step ensures that the adversaryselects the
target link that maximally disconnects the targetarea at each
iteration. Table IV shows the execution timestaken by our
experiments. As expected, the execution time isproportional to the
number of target links (T ) for all targetareas, and grows
significantly for a large target area (e.g., 52seconds in selecting
50 target links for the East Coast of theUS), since more unique
links can be found in large targetareas. However, the number of
unique links is bounded bya limited number of routes. This number
is limited becausebot-decoy pairs in the same source and
destination subnetsproduce a single unique route. Hence, the
execution time ofthe algorithm is short enough (e.g., at most a
couple minutes)for an adversary to adapt to all potential route
changes evenfor a large target area, in practice.
E. The Cost of the Crossfire Attack
To launch a Crossfire attack, an adversary needs bots. Toget
them, she can either infect user machines and installher own bots
or buy the bots from Pay-Per Install (PPI)botnet markets [41]. For
cost estimation, we assume thatthe adversary buys the bots from the
markets. Our costestimates are based on a recent analysis of PPI
botnetmarkets [41]. A possible option would be to rent
cloudservices for bot operation from many, say one
hundred,providers around the world. Given the low computation
andcommunication requirements of Crossfire bots and the
high-bandwidth connectivity of data centers to the Internet,
thebots’ behavior during an attack would not trigger
providers’alarms.
PPI botnet markets have region-specific pricing plans.Generally,
bots in the US or the UK are most expensiveand cost $100-$180 per
thousand bots. Bots in continentalEurope cost $20-$60 whereas bots
in the rest of the worldcost less than $10 per thousand bots. The
mix of bots usedin our experiments (presented in Section III-B) has
49%of bots in the US or UK, 37% in continental Europe, and14% in
the rest of the world. If we assume the size ofa bot cluster (β) is
500, the total cost of the Crossfireattack is roughly $46K. Our
experiments also show (viz.,Section V-D) that the minimum number of
required botsthat can flood 10 target links can be as low as
107,200 bots,and hence the attack cost can be as low as $9K. This
impliesthat a single organization or even an individual can launch
amassive Crossfire attack. If the attack is state- or
corporate-
sponsored, many more bots can be purchased and a muchlarger
number of links can be targeted. In this case, theCrossfire attack
could easily disconnect almost 100% of theInternet connections to a
large target area.
V. EXPERIMENT SETUP AND RESULTS
In this section, we demonstrate the feasibility of theCrossfire
attack and its effects on various target areas usingreal Internet
data. In particular, we show how one sets up thebots, decoy
servers, and target area for a Crossfire attack.
A. Bots
Instead of using real bots to perform our experiments,which
would raise ethical [42, 43] and/or legal concerns[44], we use
PlanetLab nodes [45] and Looking Glass (LG)servers as attack
sources. PlanetLab is a global researchtestbed that supports more
than one thousand nodes at549 sites. An LG server is a publicly
available router thatprovides a Web-interface for running a set of
commands,including traceroute [46]. They have been used as
vantagepoints for discovering Internet topology [47, 48, 49].
The PlanetLab and LG server networks provide a
faithfulapproximation of a globally distributed bot network. As
seenin Fig. 5, the 620 PlanetLab nodes and 452 LG servers
arelocated 309 cities in 56 countries. In Section III-B, we
willshow that different bot distributions created using
PlanetLabnodes and LG servers, result in practically the same
attackeffectiveness. Hence, the Crossfire attack using real
bots(e.g., leased from botnet markets) would experience
similarattack effects as in our experiments. A single PlanetLabnode
or LG server represents several hundred bots, given(1) the high
degree of clustering observed in real-bot distri-butions [50, 51],
and (2) the fact that bot-originated trafficfrom the same AS domain
would converge at a router andthen follow the same route, due to
the BGP’s single bestroute selection policy. Hence, the routes we
trace from thePlanetLab nodes or LG servers to the public servers
in thetarget area, allows us to build the actual Internet link
mapof the target area. We call the group of bots represented bythe
same PlanetLab node or LG server a bot cluster, andexperiment with
cluster sizes of 100, 200, and 500 bots.
B. Decoy servers
Decoy servers, which are the destinations for attack traffic,can
be any public server whose physical location is nearbya target
area. Among various possible ways an adversarycould select decoy
servers, one way is to find servers ofpublic institutions (e.g.,
universities and colleges) physicallylocated surrounding the target
area. For example, the serversof a university or college are
typically located on their
135
-
�Figure 5: A map of geographic locations of the 620 Planet-Lab
nodes (red pins) and 452 LG servers (blue pins) usedin our
experiments.
campus11.We found 552 institutions (i.e., universities and
colleges)
on both the East Coast (10 states) and West Coast (7 states)of
the US, which can provide large numbers of decoyservers. The list
of institutions in a specific US state is easilyfound on the Web12.
An adversary can find a minimum of1,000 public servers within an
institution. For example, wefound 2,737 and 7,411 public web
servers within Univ1 inPennsylvania and Univ2 in Massachusetts,
respectively, viaport-scanning. Had we used real bots, port
scanning dutieswould be distributed to each bot and would be
performedover a period of time, to avoid triggering IDSs or
firewallalarms at those institutions. Similarly, an adversary
coulduse 351,000 public servers located in 351 institutions on
theEast Coast of the US, and 201,000 public servers in
201institutions on the West Coast.
C. Target area
A target area is the geographic location where an ad-versary
wants to block Internet traffic. To establish thatthe Crossfire
attack works for various target-area sizes,we used three different
configurations: small, medium, andlarge. For the small area size,
we set a single organizationas the target area. Specifically, we
set Univ1 and Univ2as examples of small-sized target areas. As
examples ofmedium-sized areas, we picked four US states, namely
NewYork, Pennsylvania, Massachusetts, and Virginia. Finally,we
picked ten states on the East Coast and seven on theWest Coast as
two examples for large target areas. Note thatthe large target
areas’ sizes could conceivably represent amedium-size country. For
a small or medium target area,we chose decoy servers outside the
target area for theundetectability of attack flows. However, for a
large targetarea, we chose decoy servers inside the target area
since
11The adversary might use a public search engine, such as
SHODAN(http://www.shodanhq.com), to gather a large number of
publicly accessibleIPs at a geographical location. However, use of
SHODAN would requirecross-validation of the IP addresses in a
geolocation due to possible searchinaccuracies. Cross-validation
would be a fairly simple matter of comparingresults of multiple IP
geolocation services for a certain target area
12http://www.4icu.org/
Target area Number of Number ofpublic servers decoy serversin
target area
Univ1 1,000 350,000Univ2 1,000 350,000
New York 86,000 265,000Pennsylvania 82,000 269,000Massachusetts
54,000 297,000
Virginia 34,000 317,000
East Coast (US) 351,000 351,000West Coast (US) 201,000
201,000
Table V: The extrapolated numbers of public servers in
targetareas and decoy servers used for attacking each target areain
our experiments
the wide array of decoy servers within the area would
notdiminish the Crossfire’s undetectability.
Table V illustrates the extrapolated numbers of publicservers in
the target areas and decoy servers used forattacking those areas.
Note that the extrapolation is basedon that an adversary can find
1,000 public servers within aninstitution.
D. Results
We performed Internet-scale experiments to verify thefeasibility
and the impact of the Crossfire attack based onthe steps described
in Section II. For each attack target areaillustrated in Table V,
we construct a link map (Step 1,viz., Section II-A) and select the
target links (Step 2, viz.,Section II-B), using the PlanetLab nodes
and LG servers, andpublic servers in the target area.
Bot-coordination (Step 3,viz., Section II-C) is performed via
simulations, for obviousethical and legal reasons. However, the
simulations use thereal link map and data obtained from the first
two attacksteps illustrated in Fig. 2. In this section, we
summarize theresults of our experiments.
Link map. We gather traceroute data from all the Planet-Lab
nodes and LG servers (i.e., sources) to all the institutionsin the
target areas (i.e., destinations) and construct thelink maps
centered on the target areas of the East andWest Coasts of the US.
For each source-destination pair,we run a traceroute six times to
diagnose link persistence.Since multiple traceroute packets (i.e.,
ICMP packets) tothe same destination are independently
load-balanced at aload-balancing router [26], running six
traceroutes is enoughto determine whether a link on the route is
persistent ortransient. We classify a link as persistent if the
link appearsin all six traceroute results. The false positive
probability,namely the probability that we falsely determine a
transientlink as persistent, is at most 0.016 (� 2−6). This is
thecase because the highest false positive probability is
reportedwhen a router, which has two load-balancing links to the
nexthop router, happens to select the same link in forwardingsix
traceroute packets originated from the same source. If
136
-
Target area Percentage of persistent links
Univ1 79.99 %Univ2 70.37 %
New York 69.70 %Pennsylvania 75.68 %Massachusetts 74.11 %
Virginia 70.32 %
East Coast (US) 71.78 %West Coast (US) 72.37 %
Table VI: Percentage of persistent links per target area
the router has more load-balancing links, the false
positiveprobability becomes lower.
We summarize the percentages of persistent links foundby
traceroutes in Table VI. Regardless of the size of a targetarea,
the majority of the discovered links are persistent andhence can be
used for the Crossfire attack. This result showsthat even though
traffic load-balancing through multiplelinks is widely implemented
by ISPs in the current Internet,a large portion of Internet links
are persistent. This enablesthe adversary to easily find
(persistent) target links. In thefollowing subsection, we discuss
how the adversary finds thetarget links whose congestion would
effectively disconnecta target area.
Link Coverage. Although one could not demonstrate thatall links
leading to a target area can be found by traceroute,one could show
that all critical links can be found for atarget area. To show this
we selected different uniformly-distributed subsets of the 1,072
bots used (i.e., PlanetLabnodes and LG servers); e.g., subsets of
10%, 20%,..., 90%of all bots. We computed their degradation ratios
for threetarget areas and plotted those against the baseline
degra-dation ratio produced by all 1,072 bots. Figure 6 showsthat,
for each target area, beyond a certain bot-subset size,the
differences in deviations from the baseline degradationratios taper
off, indicating that additional critical links whichwould increase
degradation ratios can no longer be found;i.e., that size is
approximately 10% of all bots for Univ1,20% for Pennsylvania, and
50% for the East Coast. In similarexperiments, if we vary
server-subset sizes beyond a certaintarget-area related threshold,
additional critical links thatwould increase the degradation ratios
could not be foundany longer. These two experiments suggest that
the criticallinks we find adequately cover the flows toward a
target area.
Flow density. To compute flow densities of all persistentlinks
of the link map, we count the number bot-to-target arearoutes on
those links. As expected, the distribution of flowdensities is
highly non-uniform, namely it follows a power-law distribution;
i.e., a few links have unusually high flowdensities while most of
the other links have much lower flowdensities (viz., Section
III-A). The power-law distributionof flow densities makes the
Crossfire attack very effectiveindeed. That is, flooding only a few
high flow-density linkswould effectively disconnect a large number
bot-target area
�� �� �� �� �
���
��
��������������
��������
�� �� �� �� �
���
��
��������������
��������
�� �� �� �� �
���
��
��������������
��������� �� �� �� �� ���
���
���
���
���
���
���
���
���
���
�
������������
��������
����!�"����
#��"�
����!�"����
#��"�
��������
��������
�������������
��������
�������������
��������
�������������
����������������������
Figure 6: Deviations from baseline degradation ratios
fordifferent bot subsets.
0 10 20 30 40 500
0.2
0.4
0.6
0.8
1
Number of target links
Deg
rada
tion
Rat
io
Univ1Univ2New YorkPennsylvaniaMassachusettsVirginiaEast Coast
(US)West Coast (US)
Figure 7: Degradation ratios for various target areas
fordifferent numbers of target links.
routes.After computing the flow densities of all persistent
links,
we select a set of target links using the greedy
algorithmspecified in Section IV-D. Recall that we do not select
linksthat are located close to a target area (more precisely,
linkswhose distance from the target area is less than or equalto
three hops) to avoid attack detection by any servers inthe target
area. For example, the average hop distance fromthe selected target
links to Univ1 and Univ2 are 3.67 and4.33, respectively13. Note
that even though we eliminatelinks that are less than three hops
away from the target area,we can effectively find target links with
sufficiently largeflow densities as discussed in the following
subsection.
Degradation ratio. Fig. 7 shows the degradation ratiosfor
various target areas with different numbers of targetlinks. As
shown in this figure, the increase in the degradation
13For medium and large areas, the hop distance can be measured
relativeto the peripheral servers.
137
-
Small area Medium area Large area0
1
2
3
Ave
rage
Sen
d−R
ate
(Mbp
s)
(Univ1) (Pennsylvania) (East Coast of USA)
Per−Bot (β=100)Per−Bot (β=200)Per−Bot (β=500)Per−DecoyServer
Figure 8: Per-bot, per-decoy server average send-rates
fordifferent bot cluster sizes (β).
ratio achieved by flooding additional target links diminishesas
we flood more links; e.g., flooding the first five targetlinks for
attacking Univ1 results in an 83% degradation ratiowhereas flooding
five additional target links increases thedegradation ratio by only
6%. This trend clearly shows thatthe power-law distribution of the
flow density enables theadversary to achieve a high degradation
ratio by floodingonly a few target links. In general, the smaller
the targetarea, the higher degradation ratio, because smaller
targetareas have relatively few links that deliver most of the
trafficto them. For example, when flooding 15 target links,
thedegradation ratio of a large area (i.e., West Coast of US) isas
high as 32.85%, that of a medium area (i.e., Virginia) isas high as
53.05%, and that of a small area (i.e., Univ1) isas high as 90.52%.
This result may be misinterpreted andconclude that the Crossfire
attack would damage only smalltarget areas. In reality, when the
attack effects are measuredin terms of the total number of
effectively disconnected end-users (or hosts) in a target area, the
attack appears to befar more lethal to a large target area than a
small one. Forexample, a Crossfire attack against West Coast using
15target links effectively disconnects only 32.85% of traffic,yet
the number of affected servers is huge.
Attack bots and flows. To flood the selected targetlinks, we
assign attack flows to bots by providing the listof decoy server
IPs and corresponding flow rates. In ourexperiments, we set a 4
Kbps per-flow rate, which can beachieved by sending one HTTP GET
message per second,for the indistinguishability of the Crossfire
attack. Whilemaintaining the low per-flow rate, we assign the
attackflows evenly to the multiple bots and decoy servers.
Weconservatively assume that the bandwidth of target links is40
Gbps, which ensures the presence of at least 107 (i.e.,40 Gbps/4
Kbps ) attack flows through each target link.
Fig. 8 shows the per-bot and per-decoy server averagesend-rates
for three target areas of different sizes whenflooding ten selected
target links. Notice that for the largebot cluster size (β), we
achieve lower per-bot send-ratesince the attack flows can be more
evenly distributed. Animportant observation is that for any target
area, the per-bot average send-rate can be much lower than 1
Mbps
when the bot cluster size (β) equals 500 (i.e., 536,000 botsin
total). This shows that the adversary can aggregate asufficiently
large number (i.e., 107) of low-rate (i.e., 4 Kbps)attack flows at
each selected target link and thus successfullyexceed the bandwidth
(i.e., 40 Gbps) of the target link whilemaintaining low per-bot and
per-decoy server average send-rates. If the adversary uses more
bots and decoy servers inpractice, these average rates would become
even lower.
VI. ATTACK CHARACTERISTICS
The Crossfire attack has four distinct characteristics
whichdistinguish it from ordinary DDoS attacks, namely
unde-tectability, attack-flow indistinguishability, flexibility in
thechoice of targets, and persistence in terms of attack
duration.
Undetectability at the Target Area. The Crossfire at-tack uses
all legitimate flows to flood target links. Eachbot creates
ordinary connections (e.g., HTTP) with a setof decoy servers
following the adversary’s (i.e., the bot-master’s) assignments, and
hence individual connections donot trigger an attack alarm at the
servers. Since a target areais not directly attacked and the decoy
servers near the targetarea do not see any suspicious traffic, the
servers in thetarget area would be unable to detect the attack.
Even decoyservers would be unable to detect the attack since the
well-coordinated flows to the decoy servers would cause only afew
Mbps bandwidth increase to each server. Furthermore,the adversary
can easily select target links among the linksin the target set
that are several hops (i.e., at least 3 hops inour experiments)
away from the target area since links withhigh flow density are
usually located in the core backbonenetworks. This makes it
difficult even for the target links toidentify an attack.
Indistinguishability of Flows in Routers. In the Cross-fire
attack, a large number of low-rate attack flows passthrough a
target link. Hence, a router connected to the targetlink cannot
distinguish the attack flows from legitimate ones.In other words,
since all the attack flows carry differentsource IP addresses and
destination IP addresses, the highbandwidth aggregation mechanisms
(e.g., Pushback [52],PSP [14]) become ineffective even if they are
employed atall routers along the attack routes. Inspecting the
payloadof each packet would not help either because the attackflows
carry the same payload as that of legitimate flows.Moreover,
flooding target links with different sets of bots(e.g., the rolling
attack, viz., Section IV-B) would furtherenhance this inherent
indistinguishability of attack flows inrouters.
Persistence. The Crossfire attack is able to disconnect atarget
area persistently by controlling the bot traffic so as notto
trigger any control plane changes (e.g., route changes).This is
achieved by using stable routes in rolling attacks,which change an
active set of target links dynamically(viz., Section IV-B). In
essence, a rolling attack makes theCrossfire attack a pure data
plane attack, thereby leaving
138
-
the control plane of the Internet unchanged. This extendsthe
attack duration virtually indefinitely. The details of theattack
persistence are presented in Section IV-A.
Flexibility. The Crossfire attack can be launched againstany
target area (regardless of its size) since an adversarycan usually
find a large number of public servers inside thattarget area and
decoy servers near it; e.g., the adversary canselect any of the
many publicly accessible servers withoutneeding permission from
that server. This offers a great dealof flexibility in the
adversary’s choice of a target area, whichis one of the most
important characteristics that distinguishthe Crossfire attack from
other link-flooding attacks (viz.,Related Work in Section VII). Our
adversary’s choice isenhanced by its low-rate flows used by the
bots since theresulting attack flows would not trigger individual
alarms inany potential target area.
VII. RELATED WORK
A. Control Plane DDoS Attacks
DDoS attacks against a network link, even if launchedwith
low-rate traffic, can disrupt a routing protocol (e.g.BGP) and
ultimately trigger instability in the Internet. Thisclass of
attacks, which we call Control Plane DDoS attack,first proposed by
Zhang et al. [53], exploits the fact thatthe control plane and data
plane use the same physicalmedium. This fate-sharing allows an
unprivileged adversaryto convince a BGP speaking router that its
BGP sessionhas failed. Schuchard et al. in [5] extended this attack
tomultiple BGP sessions, which were selected based on
thebetweenness centrality measures of the network topology.They
showed that their CXPST attack can generate enoughBGP updates to
cripple the Internet’s control plane.
In contrast, the Crossfire attack is pure data plane
attack,which maintains the effects of the attack persistently
bysuppressing any control plane reaction.
B. Attacks against Links
The recent Coremelt attack [7] demonstrates how a set ofbots can
send packets to each other and flood a set of ASbackbone routers.
The key characteristic of Coremelt is thatit creates only wanted
traffic and thus it eludes all defensemechanisms that filter
unwanted traffic. Furthermore, thistraffic is not subject to the
congestion-control mechanismsof TCP and can thus exceed typical TCP
traffic bounds.This unique advantage cannot be exploited in
Crossfire,since the ends of its attack flows are not bots.
Thus,Crossfire uses protocol messages that are unencumbered
bycongestion control; e.g., HTTP GET requests. In contrastwith
Coremelt, Crossfire creates very low intensity traffic(e.g., 4 Kbps
flows) to decoy servers, which can be anypublic IP addresses.
Furthermore, it can flood any of theselected target links
regardless of the distribution of bots,and its server-disconnection
effects at a target area are easilypredictable. Crossfire is more
persistent than Coremelt, since
Design Goal Crossfire Coremelt
Flexibility of targeting server areas High N/GBot-distribution
independence Y NPersistence Higher Lower· Data vs. control plane
distinction· Robustness against route changesDistribution of target
links across multiple ISPs Y N/GIndistinguishability at routers Y
Y*Undetectability at target area servers Y N/GReliance on wanted
flows only N Y(* only if bot-to-bot flow intensity does not exceed
router bounds.
N/G = “Not a design Goal”)
Table VII: Crossfire vs. Coremelt [7] Differences
it does not trigger control-plane reaction (e.g., BGP
routechanges [5]) and it can easily evade route-change
counter-measures produced by online traffic engineering.
Finally,unlike Coremelt, which targets the backbone routers ofan
AS, Crossfire aims to select routers and links that aredistributed
across ASs of different ISPs, such that no singleISP could counter
the attack. In short, the Crossfire attack isdifferent from
Coremelt as it shares neither all the goals northe attack
techniques of Coremelt. Table VII summarizes thekey differences
between Crossfire and Coremelt.
C. Large-Scale Connectivity Attacks
The technical underpinnings of the Crossfire attack arealso
related to research on the robustness of Internet con-nectivity to
attacks that disable routers or links [54, 55, 56].Albert et al.
[54] illustrate that if an adversary disables 4%of the highly
connected routers, the entire Internet wouldbreak up into small
isolated pieces. However, later work byMagoni [55] and Wang et al.
[56] concludes that all suchattacks would be infeasible because of
the huge number ofrouters or links that need to be
disconnected.
The main distinction between the Crossfire attack and thisline
of work is that our notion of (dis)connectivity capturesthe
practical realities of the Internet; we say that a node Ais
(effectively) disconnected from a node B whenever thepersistent
route from A to B is severely congested (viz.,Section II-A2).
The Crossfire attack also has a clearly different goal fromthe
routing attack proposed by Bellovin and Gansner thatcuts multiple
network links to attract a certain traffic tocompromised routers
for eavesdropping purposes [6].It isalso different from the DoS
source-detection technique pro-posed by Burch and Cheswick [57]
whereby a victim serverattempts to flood various routers and
measure decreases inattack traffic – a telltale sign identifying
attack sources onthe router’s path.
D. Brute-Force DDoS Attacks
The goals of the Crossfire attack are fundamentally dif-ferent
from those of conventional brute-force DDoS attacks[1, 2, 29, 58]
in at least three respects. First, it has aflexible choice of
targets in a much more scalable range
139
-
than those of DDoS attacks (e.g., from servers of a
singleenterprise, to those of a state or country). Second, its
attacksources (i.e., bot hosts) are undetectable by any
targetedservers, since they do not receive attack messages, andby
network routers, since they receive only low-intensity,individual
flows that are indistinguishable from legitimateflows. Third, its
persistence against the same set of targetscan be extended
virtually indefinitely by changing attackparameters. The Crossfire
advantage of the flexible choiceof targets in a geographic area is
shared by the geo-targetedDDoS attacks in cellular networks
proposed by Traynor et al.[59]. However, these attacks are less
relevant for the Internet.
VIII. CONCLUSION
The proliferation of bot networks seems unavoidable, forat least
as many reasons as that of malware, the primaryreason being
successful large-scale social engineering scamsagainst unsuspecting
users world-wide. End-server botsflooding the Internet router
fabric to effectively disconnectother end-server systems is the
penultimate insult to the end-to-end argument in network design,
the ultimate being, ofcourse, the loss of end-to-end trust caused
by malware inend-servers [60].
The question of whether it is possible to counter an attacksuch
as Crossfire arises naturally given the current
Internetarchitecture and ISP operations. Preliminary analysis
sug-gests that combinations of multiple countermeasures againstsuch
attacks may, in fact, become necessary. As arguedin Section IV, no
single ISP can counter such an attackwhenever the flooded links
reside in different ISP domains,regardless of the quality of
traffic engineering techniquesemployed by individual ISPs. Whether
ISP coordination be-comes practical despite of competitive
concerns, remains tobe seen. Another possibility would be to
support applicationlayer overlays that would route around flooded
links byselecting different server routes in response to
link-floodingalerts. Yet another possibility would be to deter
massiveattacks by both preemptive and retaliatory disruption of
botmarkets with certainty. This would require analysis of
botmarkets along the lines of described by Caballero et al.
[41].Finally, international agreements regarding prosecution
oftelecommunication-infrastructure attacks may also becomenecessary
[61].
ACKNOWLEDGEMENTSWe are grateful to Hsu-Chun Hsiao, Yongdae Kim,
Adrian
Perrig, Vyas Sekar, and the symposium reviewers for
theirinsightful comments and suggestions. This research
wassupported in part by CyLab at Carnegie Mellon undercontract
W911NF-09-1-0273 from the US Army ResearchOffice, and by the
National Science Foundation (NSF) undergrants CNS1040801. The views
and conclusions containedin this document are solely those of the
authors and shouldnot be interpreted as representing the official
policies, eitherexpressed or implied, of any sponsoring
institution, the U.S.government or any other entity.
REFERENCES
[1] V. D. Gligor, “Guaranteeing access in spite of
distributedservice-flooding attacks,” in Security Protocols
Workshop,2003, pp. 80–96.
[2] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack
andDDoS defense mechanisms,” SIGCOMM Comput. Commun.Rev., vol. 34,
no. 2, pp. 39–53, Apr. 2004.
[3] F. C. Freiling, T. Holz, and G. Wicherski, “Botnet
tracking:exploring a root-cause methodology to prevent
distributeddenial-of-service attacks,” in Proceedings of
ESORICS’05.Berlin, Heidelberg: Springer-Verlag, 2005, pp.
319–335.
[4] D. Dagon, G. Gu, C. Lee, and W. Lee, “A taxonomy of
botnetstructures,” in Computer Security Applications
Conference.ACSAC 2007. Twenty-Third Annual, dec. 2007, pp. 325
–339.
[5] M. Schuchard, A. Mohaisen, D. Foo Kune, N. Hopper,Y. Kim,
and E. Y. Vasserman, “Losing control of the in-ternet: using the
data plane to attack the control plane,” inProceedings of NDSS
2011. ACM, 2010, pp. 726–728.
[6] S. M. Bellovin and E. R. Gansner, “Using link cuts to
attackinternet routing,” Tech. Rep., ATT Research, 2004, Work
inProgress 2003 USENIX.
[7] A. Studer and A. Perrig, “The Coremelt attack,” in
Proceed-ings of ESORICS’09. Berlin, Heidelberg:
Springer-Verlag,2009, pp. 37–52.
[8] J. Nazario, “DDoS attack trends through 2009-2011,” NANOG54,
Feb. 2012.
[9] P. Ferguson, “Network Ingress Filtering: Defeating Denial
ofService Attacks which employ IP Source Address Spoofing,”RFC
2827, 2000.
[10] A. Yaar, A. Perrig, and D. Song, “SIFF: A Stateless
InternetFlow Filter to Mitigate DDoS Flooding Attacks,” in
Proceed-ings of the IEEE Security and Privacy Symposium, 2004.
[11] Xiaowei Yang and David Wetherall and Thomas Anderson,“A
DoS-limiting network architecture,” in SIGCOMM ’05,2005.
[12] R. Moskowitz and P. Nikander, “Host Identity Protocol
(HIP)Architecture,” RFC 4423, 2006.
[13] D. G. Andersen, H. Balakrishnan, N. Feamster, T. Koponen,D.
Moon, and S. Shenker, “Accountable Internet Protocol(AIP),” in ACM
SIGCOMM, 2008.
[14] J. C.-Y. Chou, B. Lin, S. Sen, and O. Spatscheck,
“ProactiveSurge Protection: a defense mechanism for
bandwidth-basedattacks,” IEEE/ACM Transactions on Networking
(TON),vol. 17, no. 6, pp. 1711–1723, 2009.
[15] A. Feldmann, A. Greenberg, C. Lund, N. Reingold, J.
Rex-ford, and F. True, “Deriving traffic demands for operational
IPnetworks: methodology and experience,” in ACM SIGCOMMComputer
Communication Review, vol. 30, no. 4. ACM,2000, pp. 257–270.
[16] N. Wang, K. Ho, G. Pavlou, and M. Howarth, “An overviewof
routing optimization for Internet traffic engineering,”
Com-munications Surveys Tutorials, IEEE, vol. 10, no. 1, pp. 36–56,
quarter 2008.
[17] K. Levanti, “Routing management in network
operations,”Ph.D. dissertation, Carnegie Mellon University,
2012.
[18] M. Faloutsos, P. Faloutsos, and C. Faloutsos, “On power-law
relationships of the internet topology,” in Proceedingsof SIGCOMM
’99. ACM, 1999, pp. 251–262.
[19] A. Lakhina, J. W. Byers, M. Crovella, and P. Xie,
“Samplingbiases in IP topology measurements,” in Proceedings
ofINFOCOM, vol. 1. IEEE, 2003, pp. 332–341.
[20] M. E. Newman, “A measure of betweenness centrality basedon
random walks,” Social networks, vol. 27, no. 1, pp. 39–54,2005.
140
-
[21] I. Cunha, R. Teixeira, and C. Diot, “Measuring and
charac-terizing end-to-end route dynamics in the presence of
loadbalancing,” in Proceedings of PAM’11. Berlin,
Heidelberg:Springer-Verlag, 2011, pp. 235–244.
[22] Y. Amir and C. Danilov, “Reliable communication in
overlaynetworks,” IEEE/IFIP International Conference on Depend-able
Systems and Networks (DSN 2012), vol. 0, p. 511, 2003.
[23] A. D. Keromytis, V. Misra, and D. Rubenstein, “SOS:
secureoverlay services,” in Proceedings of SIGCOMM ’02. NewYork,
NY, USA: ACM, 2002, pp. 61–72.
[24] J. Sherry, E. Katz-Bassett, M. Pimenova, H. V.
Madhyastha,T. Anderson, and A. Krishnamurthy, “Resolving IP
aliaseswith prespecified timestamps,” in Proceedings of IMC ’10.New
York, NY, USA: ACM, 2010, pp. 172–178.
[25] W. Willinger, D. Alderson, and J. C. Doyle, “Mathematicsand
the Internet: A source of enormous confusion and greatpotential,”
American Mathematical Society, 2009.
[26] B. Augustin, T. Friedman, and R. Teixeira, “Measuring
load-balanced paths in the internet,” in Proceedings of IMC ’07.New
York, NY, USA: ACM, 2007, pp. 149–160.
[27] V. Paxson, “End-to-end routing behavior in the internet,”
inProceedings on SIGCOMM ’96. New York, NY, USA: ACM,1996, pp.
25–38.
[28] R. Cohen and L. Katzir, “The generalized maximum
coverageproblem,” Information Processing Letters, vol. 108, no. 1,
pp.15 – 22, 2008.
[29] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash
crowdsand denial of service attacks: characterization and
implica-tions for CDNs and web sites,” in Proceedings of WWW
’02.New York, NY, USA: ACM, 2002, pp. 293–304.
[30] A. Clauset, C. R. Shalizi, and M. E. J. Newman,
“Power-LawDistributions in Empirical Data,” SIAM Review, vol. 51,
no. 4,pp. 661–703, 2009.
[31] O. Narayan and I. Saniee, “Scaling of load in
communicationsnetworks,” Phys. Rev. E, vol. 82, p. 036102, Sep
2010.
[32] M. P. H. Stumpf and M. A. Porter, “Critical truths
aboutpower laws,” Science, vol. 335, no. 6069, pp. 665–666,
2012.
[33] S. Ross, Introduction to Probability and Statistics for
En-gineers and Scientists, ser. Wiley series in probability
andmathematical statistics. Academic Press/Elsevier, 2009.
[34] A. Shaikh, A. Varma, L. Kalampoukas, and R. Dube, “Rout-ing
stability in congested networks: Experimentation andanalysis,” in
Proc. of ACM SIGCOMM, 2000, pp. 163–174.
[35] P. Francois, C. Filsfils, J. Evans, and O.
Bonaventure,“Achieving sub-second IGP convergence in large IP
net-works,” SIGCOMM CCR, vol. 35, no. 3, pp. 35–44, Jul. 2005.
[36] G. Iannaccone, C.-N. Chuah, S. Bhattacharyya, and C.
Diot,“Feasibility of ip restoration in a tier 1 backbone,”
Network,IEEE, vol. 18, no. 2, pp. 13 – 19, mar-apr 2004.
[37] B. Fortz, J. Rexford, and M. Thorup, “Traffic engineering
withtraditional IP routing protocols,” Communications
Magazine,IEEE, vol. 40, no. 10, pp. 118 – 124, oct 2002.
[38] B. Davie and A. Farrel, MPLS: Next Steps, ser.
MorganKaufmann Series in Networking. Elsevier/Morgan
KaufmannPublishers, 2008.
[39] T. Nadeau, MPLS Network Management: MIBs, Tools,
andTechniques, ser. Morgan Kaufmann Series in Networking.Elsevier
Science, 2002.
[40] N. Hu, L. E. Li, Z. M. Mao, P. Steenkiste, and J.
Wang,“Locating internet bottlenecks: algorithms, measurements,and
implications,” in Proceedings of SIGCOMM ’04. NewYork, NY, USA:
ACM, 2004, pp. 41–54.
[41] J. Caballero, C. Grier, C. Kreibich, and V. Paxson,
“Mea-suring Pay-per-Install: The Commoditization of Malware
Distribution,” in Proceedings of the 20th USENIX
SecuritySymposium, Aug. 2011.
[42] IEEE Policies. IEEE, February 2012, ch. 7.8 IEEE Code
ofEthics.
[43] “ACM Code of ethics and professional conduct,” Commun.ACM,
vol. 35, no. 5, pp. 94–99, May 1992.
[44] FBI National Press Office, “Over one mil-lion potential
victims of botnet cyber
crime,”http://www.fbi.gov/news/pressrel/press-releases/over-1-million-potential-victims-of-botnet-cyber-crime,June
13, 2007.
[45] PlanetLab., “http://www.planet-lab.org/.”[46]
Traceroute.org, “Public route server and looking glass site
list,” http://www.traceroute.org/.[47] L. Subramanian, S.
Agarwal, J. Rexford, and R. Katz,
“Characterizing the internet hierarchy from multiple
vantagepoints,” in Proceedings of INFOCOM 2002, vol. 2, 2002,
pp.618 – 627 vol.2.
[48] F. Wang and L. Gao, “On inferring and characterizing
Internetrouting policies,” in Proceedings of IMC ’03. New York,
NY,USA: ACM, 2003, pp. 15–26.
[49] B. Augustin, B. Krishnamurthy, and W. Willinger,
“IXPs:mapped?” in Proceedings of IMC ’09. New York, NY, USA:ACM,
2009, pp. 336–349.
[50] D. Dagon, C. Zou, and W. Lee, “Modeling botnet
propagationusing time zones,” in In Proceedings of the 13 th
Network andDistributed System Security Symposium NDSS, 2006.
[51] S. Staniford, V. Paxson, and N. Weaver, “How to own
theInternet in your spare time,” in Proceedings of the 11thUSENIX
Security Symposium. Berkeley, CA, USA: USENIXAssociation, 2002, pp.
149–167.
[52] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V.
Paxson,and S. Shenker, “Controlling high bandwidth aggregates in
thenetwork,” SIGCOMM Comput. Commun. Rev., vol. 32, no. 3,pp.
62–73, Jul. 2002.
[53] Y. Zhang, Z. M. Mao, and J. Wang, “Low-rate TCP-targetedDoS
attack disrupts internet routing,” in Proc. 14th AnnualNetwork
& Distributed System Security Symposium, 2007.
[54] R. Albert, H. Jeong, and A.-L. Barabasi, “Error and
attacktolerance of complex networks,” NATURE, vol. 406, p.
378,2000.
[55] D. Magoni, “Tearing down the Internet,” Selected Areas
inCommunications, IEEE Journal on, vol. 21, no. 6, pp. 949 –960,
aug. 2003.
[56] Y. Wang, S. Xiao, G. Xiao, X. Fu, and T. H.
Cheng,“Robustness of complex communication networks under
linkattacks,” in Proceedings of ICAIT ’08. New York, NY, USA:ACM,
2008, pp. 61:1–61:7.
[57] H. Burch and B. Cheswick, “Tracing anonymous packets
totheir approximate source,” in Proceedings of the 2000 UsenixLISA
Conference, 2000, pp. 319–327.
[58] D. Moore, G. Voelker, and S. Savage, “Inferring
InternetDenial-of-Service Activity,” in Proceedings of the 10th
UsenixSecurity Symposium, 2001, pp. 9–22.
[59] P. Traynor, W. Enck, P. Mcdaniel, and T. La Porta,
“Exploitingopen functionality in SMS-capable cellular networks,”
Jour-nal of Computer Security, vol. 16, no. 6, pp. 713–742,
2008.
[60] D. D. Clark and M. S. Blumenthal, “The end-to-end argu-ment
and application design: The role of trust,” in
FederalCommunications Law Journal, vol. 63, 2011, pp. 357–390.
[61] International Telecommunication Union,
“http://www.itu.int.”
141